AI: Risk and Regulatory Considerations for Irish Regulated Firms
The use of artificial intelligence (“AI”) in the financial sector has been rapidly increasing, offering numerous benefits such as enhanced efficiency, improved customer experience, and new product innovation.
- Published
- in Industry Updates
The use of artificial intelligence (“AI”) in the financial sector has been rapidly increasing, offering numerous benefits such as enhanced efficiency, improved customer experience, and new product innovation.
However, the deployment of AI systems also introduces a range of risks that regulated firms must carefully manage. These risks include operational vulnerabilities; ethical concerns; data privacy issues; and, as we will consider further here, regulatory compliance challenges.
EU AI Act
To meet the envisioned challenges that AI usage may bring, the European Parliament approved the AI Act on 13 March 2024 which aims to ensure safety, protect fundamental rights, and promote innovation. The AI Act is expected to be formally approved by the Council of the EU as early as mid-2024, with various requirements coming into force over the following six months to two years.
The AI Act will have broad applicability to providers and users of AI in both public and private sectors as well as AI systems located in a third country, where the output produced by the system is used in the EU.
The new rules establish obligations for providers and users depending on the level of risk emanating from the AI system. Depending on the risk category (unacceptable; high; limited or minimal risk) different restrictions will apply. The Act also introduces specialised rules applying to providers of ‘General Purpose AI’, reflecting the broad range of applications and potential impacts associated with these systems. This includes a tiered approach to regulation, with additional obligations on providers of General Purpose AI with systemic risk.
Operators, including regulated firms deploying AI tools, will be required to use AI systems in accordance with principles such as transparency of use, privacy and data governance, and social and environmental well-being.
A dedicated AI Office within the European Commission will oversee the AI Act and, in Ireland, the Central Bank of Ireland (“Central Bank”) will regulate high-risk AI used by Irish regulated firms. Notably, for Irish regulated firms, the use of AI to evaluate creditworthiness or establish credit scores for individuals are categorised as high risk.
Current Regulatory Focus on AI
AI technologies are becoming more prevalent in a very fast-moving environment. Ahead of the AI Act’s introduction, regulators (including, the Central Bank) are already focusing on how these systems are integrated into the financial services industry
In its Regulatory and Supervisory Outlook (“Report”) published in February 2024, the Central Bank dedicated an entire spotlight section to AI. While still in its early stages, the Central Bank announced it will be undertaking policy work and developing its supervisory expectations around AI usage by regulated firms. The Report also stated:
“With such a broad spectrum of potential uses for AI, there will be cases where judgements need to be made about whether it is appropriate to use AI for a particular process or business problem. Supervisors will focus on the decision making process around any such judgements to assess whether they are sufficiently transparent, with clarity over who is accountable for any decisions made.”
While acknowledging the benefits and opportunities that AI can present, the Central Bank has been quick to focus on what it refers to as the ‘downside risks’ of AI that the industry “must start grappling with – fast”.
For example, the Central Bank has highlighted the lack of transparency with generative AI models. The reasoning is that if output from generative AI tools is non-transparent, how can it be assured that it is not unfair, biased or otherwise harmful to the interests of consumers. Other risks cited by the Central Bank include misinformation, market manipulation risk and the risk that models trained on common data sets will produce highly correlated outputs that could have financial stability implications.
In the near term, the Central Bank’s supervisory function will take a risk-based and proportionate approach to firm intervention on AI use and will rely primarily on firms themselves (through their board and senior management) to operate in this area responsibly.
Regulated firms already using or planning on introducing AI systems into their business should therefore consider how to effectively manage the risks associated with this new technology.
Effective Risk Management
Effective risk management is essential to ensure that the use of AI aligns with a firm’s strategic objectives and regulatory requirements.
To effectively manage the risks associated with AI, a similar governance framework should be employed for other identified risks which defines clear responsibilities, risk management, monitoring and reporting, as well as escalation and remediation mechanisms.
Irish regulated firms should therefore consider implementing or enhancing robust policies and procedures to take account of the use of AI in the following areas:
- Governance and oversight
- Risk assessment and testing
- Data privacy
- Cyber security
- Outsourcing
- Training
- Incident response and business continuity
- Regulatory reporting
Next Steps
The use of AI by Irish regulated firms presents both opportunities and challenges. By implementing comprehensive risk management practices, firms can harness the benefits of AI while mitigating the associated risks. Through effective risk management, Irish regulated firms can responsibly integrate AI into their operations, maintain the trust of their clients and meet the Central Bank’s expectations.
How We Can Help
Our dedicated Financial Services Regulatory team supports clients across all regulated sectors in Ireland managing regulatory risk, drafting policies, procedures and client documentation, negotiating outsourcing arrangements, assessing corporate governance structures and guiding clients through engagements with the Central Bank from authorisation applications to supervisory and PRISM engagements (including RMPs and interview preparation) and more contentious enforcement issues.
Further Information
Further information on our Irish Financial Services Regulatory Group, and the services we provide is available on our website page and in our brochure.
If you would like to discuss the topics considered here or require any further information, please liaise with your usual Maples Group contact or any of the persons listed below.